Bill
October 8, 2022, 5:04am
21
You look like me:
```
BusyBox v1.35.0 (2022-09-03 02:55:34 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.0, r19685-512e76967f
 -----------------------------------------------------
root@Dachshund:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1
root@Dachshund:~#
```
maurer
October 8, 2022, 5:42am
22
No, you shouldn't be worried.
If you don't expose any service to the internet you can safely wait for the next version that will likely have the fix.
It’s a long time ago but wasn’t 19.07 based on mbedTLS or OpenSSL instead of WolfSSL?
WolfSSL as standard came with 21.02 if I remember right.
ray308
October 8, 2022, 8:04am
24
Had the same problem as @Bill, my wifi client mode didn't work anymore. (I assume it uses wolfSSL) After I removed the dependency package it worked again.
After this dependency fix I had no dns resolving anymore. I did use https-dns-proxy, but after this 'upgrade' it will not start the service and it doesn't change the settings in dhcp and dns back to default if it's not starting.
I'm using OpenWrt 21.02.3 on a Raspberry Pi 4B
Found https://github.com/openwrt/packages/issues/19547
I'm not alone I see.
1 Like
Bill
October 8, 2022, 2:33pm
25
@ray308 Did you get it fixed?
opened 11:14AM - 07 Oct 22 UTC
closed 05:18AM - 08 Oct 22 UTC
Maintainer: @tapper82 , @stangri , @ynezz , @neheb
Environment: OpenWrt 21.02.3… r16554-1d4dea6d4f - x86_64 - Generic v0 (ImageBuilder)
Description:
------------
I think since PR https://github.com/openwrt/packages/pull/19513 the actual packages @ repo [downloads.openwrt.org](https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/packages/) will stop SSL support for curl.
Maybe in case of the missing commits in branch `openwrt-21.02` ?:
https://github.com/openwrt/packages/commits/master/net/curl/Makefile
-> https://github.com/openwrt/packages/commit/312ab68be498f0d895d8d4dc5b2f0fc857e45eb9
-> https://github.com/openwrt/packages/commit/b814eec3b59beec0e5610c3f0eda4429ba23132c
-> https://github.com/openwrt/packages/commit/03a32717bc15d8dd0c99e200dd64ae0bbd558c35
-> https://github.com/openwrt/packages/commit/c812153f8d4f73b3f82cb19e3b98c84ca680eecb
https://github.com/openwrt/packages/commits/openwrt-21.02/net/curl/Makefile
```
curl -v https://openwrt.org
* Protocol "https" not supported or disabled in libcurl
curl: (1) Protocol "https" not supported or disabled in libcurl
```
#### Syslog:
```
root@OpenWrt:~# grep -i 'https-dns-proxy' /var/log/syslog
Fri Oct 7 12:37:22 2022 user.notice https-dns-proxy: Starting service ✓
Fri Oct 7 12:37:22 2022 daemon.info https-dns-proxy[4494]: [W] 1665139042.858021 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:23 2022 daemon.info https-dns-proxy[4494]: [F] 1665139043.083623 https-dns-proxy-2021-11-22/src/https_client.c:317 08C8: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:28 2022 daemon.info https-dns-proxy[6972]: [W] 1665139048.086884 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:28 2022 daemon.info https-dns-proxy[6972]: [F] 1665139048.244363 https-dns-proxy-2021-11-22/src/https_client.c:317 EA6E: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:33 2022 daemon.info https-dns-proxy[7388]: [W] 1665139053.246573 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:33 2022 daemon.info https-dns-proxy[7388]: [W] 1665139053.249886 main.c:119 EA6E: Query received before bootstrapping is completed, discarding.
Fri Oct 7 12:37:35 2022 daemon.info https-dns-proxy[7388]: [F] 1665139055.593302 https-dns-proxy-2021-11-22/src/https_client.c:317 A465: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:40 2022 daemon.info https-dns-proxy[7430]: [W] 1665139060.596336 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:41 2022 daemon.info https-dns-proxy[7430]: [F] 1665139061.270342 https-dns-proxy-2021-11-22/src/https_client.c:317 89C1: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:46 2022 daemon.info https-dns-proxy[7451]: [W] 1665139066.271223 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:46 2022 daemon.info https-dns-proxy[7451]: [W] 1665139066.273961 main.c:119 89C1: Query received before bootstrapping is completed, discarding.
Fri Oct 7 12:37:46 2022 daemon.info https-dns-proxy[7451]: [F] 1665139066.601962 https-dns-proxy-2021-11-22/src/https_client.c:317 B7CC: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:51 2022 daemon.info https-dns-proxy[7495]: [W] 1665139071.604249 main.c:236 HTTP/3 is not supported by current libcurl
Fri Oct 7 12:37:51 2022 daemon.info https-dns-proxy[7495]: [W] 1665139071.604720 main.c:119 A465: Query received before bootstrapping is completed, discarding.
Fri Oct 7 12:37:51 2022 daemon.info https-dns-proxy[7495]: [W] 1665139071.604844 main.c:119 7CC2: Query received before bootstrapping is completed, discarding.
Fri Oct 7 12:37:53 2022 daemon.info https-dns-proxy[7495]: [F] 1665139073.683444 https-dns-proxy-2021-11-22/src/https_client.c:317 A807: CURLOPT_SSLVERSION error 4: Error
Fri Oct 7 12:37:53 2022 daemon.info procd: Instance https-dns-proxy::instance1 s in a crash loop 6 crashes, 2 seconds since last crash
```
#### Installed packages (ERROR):
```
opkg list-installed | grep -i 'curl\|ssl\|https-dns-proxy'
curl - 7.83.1-2.1
https-dns-proxy - 2021-11-22-3
libcurl4 - 7.83.1-2.1
libopenssl-conf - 1.1.1q-1
libopenssl1.1 - 1.1.1q-1
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
luci-ssl - git-20.244.36115-e10f954
openssl-util - 1.1.1q-1
php8-mod-curl - 8.0.24-1
px5g-wolfssl - 4.1
wget-ssl - 1.21.1-1
```
#### Installed packages (WORKING):
```
opkg list-installed | grep -i 'curl\|ssl\|https-dns-proxy'
curl - 7.83.1-1
https-dns-proxy - 2021-11-22-3
libcurl4 - 7.83.1-1
libopenssl-conf - 1.1.1q-1
libopenssl1.1 - 1.1.1q-1
libustream-wolfssl20201210 - 2022-01-16-868fd881-1
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-2
luci-ssl - git-20.244.36115-e10f954
openssl-util - 1.1.1q-1
php8-mod-curl - 8.0.20-1
px5g-wolfssl - 3
wget-ssl - 1.21.1-1
```
best regards
realizelol
Summay_Old
I didn't say I had a problem, I just had a collected error. That resolved itself once I upgraded the other two packages.
rhester states that following certain steps prevents the collected errors.
Bill:
Having had the same output as @dubefab and @alistair :
Via LuCi I removed libwolfssl5.4.0.ee39414e
with errors.
Then via Putty
```
opkg install px5g-wolfssl wpad-basic-wolfssl
```
Output now looks updated.
```
opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1
```
Yet to your problem concerning wifi I can not chime in as my router's wifi is not enabled.
^^ is being addressed.
https://github.com/openwrt/packages/pull/19548
ray308
October 8, 2022, 3:44pm
26
Yes it's fixed. As in the GitHub thread.
19.07 didn't come with any such crypto library by default. No HTTPS LuCI, no WPA3, and no connecting to HTTPS servers without installing extra packages.
AJCxZ0
October 9, 2022, 1:02am
28
Upgraded all updates packages* on my TP-Link Archer C2600 and two A7 v5 devices running 22.03.
```
root@ap2:~# opkg update
root@ap2:~# opkg list-upgradable
root@ap2:~# opkg upgrade luci-app-opkg luci-mod-system libustream-wolfssl20201210 wpad-basic-wolfssl px5g-wolfssl hostapd-common wireless-regdb
root@ap2:~# /etc/init.d/uhttpd restart
root@ap2:~# opkg list-installed | fgrep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1
```
So far all appear to be accessible and operating normally.
*[I remain aware that this is not recommended, but still do so regularly with no adverse impact since one incident many versions ago.]
wterlave89:
no WPA3
wpa2 is also a crypto solution, actually very similar to wpa3, and I assume a lot of users installed some of the luci-ssl variants anyway.
https://openwrt.org/releases/19.07/notes-19.07.0?s%5B%5D=wpa3
And WPA3 was introduced on 19.07 also because I myself tried to get it working on the wrt3200acm.
For all three of the things I mentioned, I was talking about out-of-the-box support, as I said. 19.07 required installing additional packages, because it did not ship with wolfSSL, mbedTLS, or OpenSSL by default. WPA2 does not require any of those libraries.
Point being, 19.07 and earlier are not vulnerable to this issue unless the user made a deliberate effort to install wolfSSL.
Another point in favor of hardening OpenWRT. There should be instructions in there (but aren't) about how to disable LuCI when not needed. A quick ssh can re-enable it whenever admin is needed. Threat model for wireless administration
```
root@OpenWrt:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-1   #vulnerable
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 3
wpad-basic-wolfssl - 2020-06-08-5a8b3662-40
opkg update; opkg upgrade libwolfssl libustream-wolfssl
opkg upgrade px5g-wolfssl wpad-basic-wolfssl
root@OpenWrt:~# opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 4.1
wpad-basic-wolfssl - 2020-06-08-5a8b3662-41
reboot
```
Looks fine now. You could combine the commands but I am following KISS.
22.03.1 and 21.02.4 will be released soon
2 Likes
Hi, I just upgraded from 21.x to 22.x and I have the same versions as you installed. Have you tested / used https-dns-proxy,
and does it work now? Thanks
1 Like
Warlock
October 10, 2022, 4:20pm
35
Thanks. Installed.
Using BanIP, so sticking with 21 releases.
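The check that posters run by eye throughout this thread (`opkg list-installed | grep wolfssl`), as an added script that is not part of any post: it flags a `libwolfssl` package older than 5.5.1 and a stale second copy left installed next to the upgraded one. The 5.5.1 threshold is an assumption taken from the versions posters report after upgrading; `check_wolfssl`, `FIXED` and `SAMPLE` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED is an assumption: the wolfSSL
# version the posters report after upgrading.
FIXED="5.5.1"

# Sample input: the pre-upgrade listing quoted in the thread.
SAMPLE='libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-1
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 3
wpad-basic-wolfssl - 2020-06-08-5a8b3662-40'

# Reads `opkg list-installed` output on stdin, prints one line per finding.
# Exit status: 0 = nothing to do, 1 = old or duplicate libwolfssl present.
check_wolfssl() {
    awk -v fixed="$FIXED" '
    # Numeric comparison of dotted versions: 1 if a is older than b.
    function older(a, b,    x, y, n, m, i) {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) return 1
            if (x[i] + 0 > y[i] + 0) return 0
        }
        return 0
    }
    # Match the library package only, not libustream-wolfssl or px5g-wolfssl.
    $1 ~ /^libwolfssl[0-9]/ && $2 == "-" {
        count++
        ver = $3
        sub(/-.*/, "", ver)            # "5.5.1-stable-3" -> "5.5.1"
        if (older(ver, fixed)) { print "OLD " $1 " " ver; bad = 1 }
    }
    END {
        if (count == 0) print "NONE no libwolfssl package installed"
        if (count > 1) { print "DUP " count " libwolfssl packages installed"; bad = 1 }
        exit bad + 0
    }'
}

# On a router, check the live package list; elsewhere, run on the sample.
if command -v opkg >/dev/null 2>&1; then
    opkg list-installed | check_wolfssl || true
else
    printf '%s\n' "$SAMPLE" | check_wolfssl || true
fi
```

A `DUP` finding corresponds to the listing above where both `libwolfssl5.2.0` and `libwolfssl5.5.1` remain installed after an upgrade.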